// For flags

CVE-2021-35517

Apache Commons Compress 1.1 to 1.20 denial of service vulnerability

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Cuando se lee un archivo TAR especialmente diseñado, Compress puede asignar grandes cantidades de memoria que finalmente conllevan a un error de falta de memoria incluso para entradas muy pequeñas. Esto podría ser usado para montar un ataque de denegación de servicio contra servicios que usan el paquete tar de Compress

A flaw was found in apache-commons-compress. When reading a specially crafted TAR archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress' TAR package. The highest threat from this vulnerability is to system availability.

*Credits: This issue was discovered by OSS Fuzz.
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-06-27 CVE Reserved
  • 2021-07-13 CVE Published
  • 2024-03-28 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-130: Improper Handling of Length Parameter Inconsistency
  • CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (24)
URL Tag Source
http://www.openwall.com/lists/oss-security/2021/07/13/3 Mailing List
http://www.openwall.com/lists/oss-security/2021/07/13/5 Mailing List
https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E Mailing List
https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E Mailing List
https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E Mailing List
https://security.netapp.com/advisory/ntap-20211022-0001 Third Party Advisory
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
Commons Compress
Search vendor "Apache" for product "Commons Compress"
>= 1.1 <= 1.20
Search vendor "Apache" for product "Commons Compress" and version " >= 1.1 <= 1.20"
-
Affected
Netapp
Search vendor "Netapp"
Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
-linux
Affected
Netapp
Search vendor "Netapp"
Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
-vmware_vsphere
Affected
Netapp
Search vendor "Netapp"
Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
-windows
Affected
Netapp
Search vendor "Netapp"
Oncommand Insight
Search vendor "Netapp" for product "Oncommand Insight"
--
Affected
Oracle
Search vendor "Oracle"
Banking Apis
Search vendor "Oracle" for product "Banking Apis"
>= 18.1 <= 18.3
Search vendor "Oracle" for product "Banking Apis" and version " >= 18.1 <= 18.3"
-
Affected
Oracle
Search vendor "Oracle"
Banking Apis
Search vendor "Oracle" for product "Banking Apis"
19.1
Search vendor "Oracle" for product "Banking Apis" and version "19.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Apis
Search vendor "Oracle" for product "Banking Apis"
19.2
Search vendor "Oracle" for product "Banking Apis" and version "19.2"
-
Affected
Oracle
Search vendor "Oracle"
Banking Apis
Search vendor "Oracle" for product "Banking Apis"
20.1
Search vendor "Oracle" for product "Banking Apis" and version "20.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Apis
Search vendor "Oracle" for product "Banking Apis"
21.1
Search vendor "Oracle" for product "Banking Apis" and version "21.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Digital Experience
Search vendor "Oracle" for product "Banking Digital Experience"
>= 18.1 <= 18.3
Search vendor "Oracle" for product "Banking Digital Experience" and version " >= 18.1 <= 18.3"
-
Affected
Oracle
Search vendor "Oracle"
Banking Digital Experience
Search vendor "Oracle" for product "Banking Digital Experience"
19.1
Search vendor "Oracle" for product "Banking Digital Experience" and version "19.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Digital Experience
Search vendor "Oracle" for product "Banking Digital Experience"
19.2
Search vendor "Oracle" for product "Banking Digital Experience" and version "19.2"
-
Affected
Oracle
Search vendor "Oracle"
Banking Digital Experience
Search vendor "Oracle" for product "Banking Digital Experience"
20.1
Search vendor "Oracle" for product "Banking Digital Experience" and version "20.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Digital Experience
Search vendor "Oracle" for product "Banking Digital Experience"
21.1
Search vendor "Oracle" for product "Banking Digital Experience" and version "21.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Enterprise Default Management
Search vendor "Oracle" for product "Banking Enterprise Default Management"
2.7.0
Search vendor "Oracle" for product "Banking Enterprise Default Management" and version "2.7.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Party Management
Search vendor "Oracle" for product "Banking Party Management"
2.7.0
Search vendor "Oracle" for product "Banking Party Management" and version "2.7.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Payments
Search vendor "Oracle" for product "Banking Payments"
14.5
Search vendor "Oracle" for product "Banking Payments" and version "14.5"
-
Affected
Oracle
Search vendor "Oracle"
Banking Trade Finance
Search vendor "Oracle" for product "Banking Trade Finance"
14.5
Search vendor "Oracle" for product "Banking Trade Finance" and version "14.5"
-
Affected
Oracle
Search vendor "Oracle"
Banking Treasury Management
Search vendor "Oracle" for product "Banking Treasury Management"
14.5
Search vendor "Oracle" for product "Banking Treasury Management" and version "14.5"
-
Affected
Oracle
Search vendor "Oracle"
Business Process Management Suite
Search vendor "Oracle" for product "Business Process Management Suite"
12.2.1.3.0
Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Business Process Management Suite
Search vendor "Oracle" for product "Business Process Management Suite"
12.2.1.4.0
Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Commerce Guided Search
Search vendor "Oracle" for product "Commerce Guided Search"
11.3.2
Search vendor "Oracle" for product "Commerce Guided Search" and version "11.3.2"
-
Affected
Oracle
Search vendor "Oracle"
Communications Billing And Revenue Management
Search vendor "Oracle" for product "Communications Billing And Revenue Management"
12.0.0.4
Search vendor "Oracle" for product "Communications Billing And Revenue Management" and version "12.0.0.4"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Service Communication Proxy
Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy"
1.14.0
Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy" and version "1.14.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Cloud Native Core Unified Data Repository
Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository"
1.14.0
Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" and version "1.14.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Diameter Intelligence Hub
Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"
>= 8.0.0 <= 8.2.3
Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version " >= 8.0.0 <= 8.2.3"
-
Affected
Oracle
Search vendor "Oracle"
Communications Session Route Manager
Search vendor "Oracle" for product "Communications Session Route Manager"
>= 8.0.0 <= 8.2.5
Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.0.0 <= 8.2.5"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Crime And Compliance Management Studio
Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio"
8.0.8.2.0
Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" and version "8.0.8.2.0"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Crime And Compliance Management Studio
Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio"
8.0.8.3.0
Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" and version "8.0.8.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Enterprise Case Management
Search vendor "Oracle" for product "Financial Services Enterprise Case Management"
8.0.7.2.0
Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.7.2.0"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Enterprise Case Management
Search vendor "Oracle" for product "Financial Services Enterprise Case Management"
8.0.8.1.0
Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.8.1.0"
-
Affected
Oracle
Search vendor "Oracle"
Flexcube Universal Banking
Search vendor "Oracle" for product "Flexcube Universal Banking"
>= 14.0.0 <= 14.3.0
Search vendor "Oracle" for product "Flexcube Universal Banking" and version " >= 14.0.0 <= 14.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Flexcube Universal Banking
Search vendor "Oracle" for product "Flexcube Universal Banking"
12.4
Search vendor "Oracle" for product "Flexcube Universal Banking" and version "12.4"
-
Affected
Oracle
Search vendor "Oracle"
Flexcube Universal Banking
Search vendor "Oracle" for product "Flexcube Universal Banking"
14.5
Search vendor "Oracle" for product "Flexcube Universal Banking" and version "14.5"
-
Affected
Oracle
Search vendor "Oracle"
Healthcare Data Repository
Search vendor "Oracle" for product "Healthcare Data Repository"
8.1.0
Search vendor "Oracle" for product "Healthcare Data Repository" and version "8.1.0"
-
Affected
Oracle
Search vendor "Oracle"
Insurance Policy Administration
Search vendor "Oracle" for product "Insurance Policy Administration"
11.0.2
Search vendor "Oracle" for product "Insurance Policy Administration" and version "11.0.2"
-
Affected
Oracle
Search vendor "Oracle"
Insurance Policy Administration
Search vendor "Oracle" for product "Insurance Policy Administration"
11.1.0
Search vendor "Oracle" for product "Insurance Policy Administration" and version "11.1.0"
-
Affected
Oracle
Search vendor "Oracle"
Insurance Policy Administration
Search vendor "Oracle" for product "Insurance Policy Administration"
11.2.8
Search vendor "Oracle" for product "Insurance Policy Administration" and version "11.2.8"
-
Affected
Oracle
Search vendor "Oracle"
Insurance Policy Administration
Search vendor "Oracle" for product "Insurance Policy Administration"
11.3.0
Search vendor "Oracle" for product "Insurance Policy Administration" and version "11.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Insurance Policy Administration
Search vendor "Oracle" for product "Insurance Policy Administration"
11.3.1
Search vendor "Oracle" for product "Insurance Policy Administration" and version "11.3.1"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.57
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.58
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.59
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59"
-
Affected
Oracle
Search vendor "Oracle"
Primavera Unifier
Search vendor "Oracle" for product "Primavera Unifier"
>= 17.7 <= 17.12
Search vendor "Oracle" for product "Primavera Unifier" and version " >= 17.7 <= 17.12"
-
Affected
Oracle
Search vendor "Oracle"
Primavera Unifier
Search vendor "Oracle" for product "Primavera Unifier"
18.8
Search vendor "Oracle" for product "Primavera Unifier" and version "18.8"
-
Affected
Oracle
Search vendor "Oracle"
Primavera Unifier
Search vendor "Oracle" for product "Primavera Unifier"
19.12
Search vendor "Oracle" for product "Primavera Unifier" and version "19.12"
-
Affected
Oracle
Search vendor "Oracle"
Primavera Unifier
Search vendor "Oracle" for product "Primavera Unifier"
20.12
Search vendor "Oracle" for product "Primavera Unifier" and version "20.12"
-
Affected
Oracle
Search vendor "Oracle"
Utilities Testing Accelerator
Search vendor "Oracle" for product "Utilities Testing Accelerator"
6.0.0.1.1
Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.1.1"
-
Affected
Oracle
Search vendor "Oracle"
Utilities Testing Accelerator
Search vendor "Oracle" for product "Utilities Testing Accelerator"
6.0.0.2.2
Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.2.2"
-
Affected
Oracle
Search vendor "Oracle"
Utilities Testing Accelerator
Search vendor "Oracle" for product "Utilities Testing Accelerator"
6.0.0.3.1
Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.3.1"
-
Affected
Oracle
Search vendor "Oracle"
Webcenter Portal
Search vendor "Oracle" for product "Webcenter Portal"
12.2.1.3.0
Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Webcenter Portal
Search vendor "Oracle" for product "Webcenter Portal"
12.2.1.4.0
Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Messaging Server
Search vendor "Oracle" for product "Communications Messaging Server"
8.1
Search vendor "Oracle" for product "Communications Messaging Server" and version "8.1"
-
Affected